IssuerConstraints Plug-in Module
94 Netscape Certificate Management System Plug-Ins Guide • March 2002

DSAKeyRule Rule

The rule named DSAKeyRule is an instance of the DSAKeyConstraints module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows:

• The rule is enabled.
• The predicate expression is left blank so that the rule is applied to all certificate enrollment and renewal requests processed by the server.
• The minimum key size permitted for certificates is 512 bits (minSize=512).
• The maximum key size permitted for certificates is 1024 bits (maxSize=1024).
• The exponents allowed are 3, 7, 17, and 65537 (exponents=3,7,17,65537).

For details on individual parameters defined in the rule, see Table 3-3 on page 93.

You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide. For instructions on adding additional instances, see section “Step 4. Add New Policy Rules” in the same chapter.

IssuerConstraints Plug-in Module

The IssuerConstraints plug-in module implements the issuer constraints policy. The policy enables you to effectively deploy certificate-based enrollment explained in “Certificate-Based Enrollment” on page 50.

The policy enables the Certificate Manager to authenticate an end user by checking the issuer DN of the CA that has issued the certificate the user presents as an enrollment token during enrollment. Note that in the current implementation, the CA that issues the new certificates must be the same as the one that has issued the certificates used for SSL client authentication; that is, the issuer DN in the authentication certificate must match the issuer DN specified in the policy configuration.

During installation, Certificate Management System automatically creates an instance of the issuer constraints policy. See “IssuerRule Rule” on page 96. The server also provides appropriate enrollment forms for the three certificate-based enrollment scenarios explained above; see “Enrollment Forms” on page 53.
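An added example, not code from Certificate Management System: a sketch of the issuer DN match described above, comparing DNs RDN by RDN after normalization instead of as raw strings, so that formatting differences do not cause false rejections and a DN that merely contains the configured one is not accepted. The DN values and function names are constructed for illustration, case-insensitive value matching is a simplifying assumption, and the certificate chain is assumed to have been validated already by SSL client authentication.

```python
import re

# Constructed sample value standing in for the issuer DN set in the policy rule.
CONFIGURED_ISSUER_DN = "CN=Example Issuing CA, OU=PKI, O=Example Corp, C=US"


def parse_dn(dn):
    """Parse a DN string into an ordered list of normalized (type, value) RDNs."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]      # keep an escaped character (e.g. "\,") with its RDN
            i += 2
            continue
        if dn[i] == "+":
            raise ValueError("multi-valued RDNs are not handled; fail closed")
        if dn[i] == ",":            # unescaped comma ends the current RDN
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        value = re.sub(r"\\(.)", r"\1", value.strip())   # remove escape backslashes
        value = re.sub(r"\s+", " ", value).casefold()    # assumption: case-insensitive values
        rdns.append((attr.strip().upper(), value))
    return rdns


def issuer_allowed(cert_issuer_dn, configured_issuer_dn=CONFIGURED_ISSUER_DN):
    """Return True only if every RDN matches, in order; any parse error rejects."""
    try:
        return parse_dn(cert_issuer_dn) == parse_dn(configured_issuer_dn)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed issuer DNs as they might appear in presented certificates.
    for dn in ("cn=Example Issuing CA,ou=PKI,o=Example  Corp,c=US",
               "OU=Test, CN=Example Issuing CA, OU=PKI, O=Example Corp, C=US",
               "CN=Example Issuing CA, OU=PKI, O=Example Corp Ltd, C=US"):
        print(issuer_allowed(dn), dn)
```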